update row with array items into database php

Question

I am trying to update a record in my database with values pulled from an exploded array

    $arr2 = explode(",",$_POST['hidden-tags']); 
   //echo $arr2[0];

   //insert new rows into blog post
    mysql_select_db($db, $db);
 $insertq = mysql_query("UPDATE blog SET tags1 = $arr2[0],tags2 = $arr2[1],tags3 = $arr2[2], tags4 = $arr2[3], tags5 = $arr2[4]  WHERE idblog = '$id' ",$dbconnet);

If I echo the values from my array one at a time it works great. Once I try to put them in the db the row turns up empty. Whats more the user may not of entered 5 items they may only have entered 1 but I dont think thats really the problem. To be honest I cant see why its currently failing at all.

I know I can save all values in one field but it will be easier as separate fieldsfor when I pull back and query later on.

score 1 · Answer 1 · answered Feb 06 '13 at 11:16

$insertq = mysql_query("UPDATE blog SET tags1 = $arr2[0],tags2 = $arr2[1],tags3 = $arr2[2], tags4 = $arr2[3], tags5 = $arr2[4]  WHERE idblog = '$id' ",$dbconnet);

should be:

$insertq = mysql_query("UPDATE blog SET tags1 = '".$arr2[0]."',tags2 = '".$arr2[1]."',tags3 = '".$arr2[2]."', tags4 = '".$arr2[3]."', tags5 = '".$arr2[4]."'  WHERE idblog = '".$id."' ,$dbconnet);

or the whole query is going to consider the variables names as part of the string

EDITED: i had the quotes inverted.

score 1 · Accepted Answer · edited May 23 '17 at 10:24

1

if the data types of the columns are string, values must be wrap with single quotes as they are string literals. eg,

$insertq = mysql_query("UPDATE blog SET tags1 = '". $arr2[0] . "',....");

As a sidenote, the query is vulnerable with SQL Injection if the value(s) of the variables came from the outside. Please take a look at the article below to learn how to prevent from it. By using PreparedStatements you can get rid of using single quotes around values.

How to prevent SQL injection in PHP?

edited May 23 '17 at 10:24

Community

1
1

answered Feb 06 '13 at 11:17

John Woo

258,903
69
498
492

Thank you for your answer. Data has already been sanitised by this point which is why there is no sql injection protection. Your answer solved my issue. Cant believe I overlooked '".."' as thats something I already knew. Time for a break maybe – Daniel Robinson Feb 06 '13 at 11:25
Im using dreamweaver built in functions so GetvalueString($VALUE, "text") – Daniel Robinson Feb 06 '13 at 12:41

score 1 · Answer 3 · answered Feb 06 '13 at 11:18

1

It should be like this :

$insertq = mysql_query("UPDATE blog SET tags1 = "'.$arr2[0].'",tags2 = "'.$arr2[1].'",tags3 = "'.$arr2[2].'", tags4 = "'.$arr2[3].'", tags5 = "'.$arr2[4].'"  WHERE idblog = "'.$id.'" ",$dbconnet);

answered Feb 06 '13 at 11:18

Devang Rathod

6,650
2
23
32

score 1 · Answer 4 · answered Feb 06 '13 at 11:19

I think you might need to look at the datatypes of your table. If you are using varchar or text as data-types then single colon will be necessary.

$insertq = mysql_query("UPDATE blog SET tags1 =' $arr2[0]',tags2 = '$arr2[1]',tags3 = '$arr2[2]', tags4 = '$arr2[3]', tags5 = '$arr2[4]'  WHERE idblog = '$id' ",$dbconnet);

Also if the idblog is integer then donot use single quotes.

hope this helps

update row with array items into database php

4 Answers4